Netgate SG-1000 microFirewall

Topic: NAT Reflection with FW rules containing aliases for IP addresses does not work


mmattel (Newbie)
pfSense 2.4.2-RELEASE-p1

I have FW rules and NAT set up with aliases for IP addresses. (Works great with split DNS.)

When using NAT Reflection:

a.) Using aliases for IP addresses works, but NAT Reflection DOES NOT. (Port aliases are OK.)
     You need to enter fixed IP addresses to make NAT Reflection work.
b.) I have not found a note in the documentation about this issue.
     This drove me nuts, as all seemed to be set up correctly...

It was only by chance that I found a side note while searching the internet for a proper setup of this combination.

Derelict (Global Moderator)
If you think you have found a bug, you need to give specific steps to duplicate it, using specifics like IP addresses and stuff. Else nobody will know how to confirm what you are seeing or fix it.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

mmattel (Newbie)
Setup:

- WAN: DHCP
- LAN: 10.168.x/24
- One external IP (domain name = a.b.c.d) routed to the FW to access web services; it is not the WAN address
- DNS resolver to resolve internal hosts on the LAN
- pfSense is gateway and DNS for LAN clients
- FW aliases for webservice_IP -> a.b.c.d, webserver_hostname -> 10.168.x.y, webserver_ports -> 80, 443
- FW NAT/Port-Forward: WAN, TCP, source: any, dest:host:webservice_IP, dest:port: webserver_ports, redirect:target: 10.168.x.y, NAT:Reflection: default
- FW Rule/WAN: IPv4, source: any, dest:host:10.168.x.y, dest:port: webserver_ports
- System/Advanced/FW&NAT, NAT Reflection mode for port forwards: Pure NAT, Enable automatic outbound NAT for Reflection: On

The above setup works. This means that if you are in the LAN, you can access the webserver by its domain name. Traffic is routed through the FW (NAT Reflection works). No split DNS used.

It stops working for clients on the LAN (no access for LAN clients to the webserver by its domain name) if you replace 10.168.x.y with the alias webserver_hostname.

Using aliases is a great thing, as you have only one place to edit things and changes pass through. It also helps the readability of the setup.

The issue comes up in the combination of aliases and NAT Reflection and is very hard to detect as the setup looks correct.

Either make this combination work (preferred) and/or document the behaviour.

Derelict (Global Moderator)
What kind of alias are you using? Host(s) or Network(s)?

mmattel (Newbie)
webserver_hostname is a host alias
webservice_IP is a network alias

Derelict (Global Moderator)
I could not duplicate this.

WAN VIP: 172.25.228.10, Inside server 172.25.233.100


Redirect to address 172.25.228.10

# NAT Inbound Redirects
rdr on re1 proto tcp from any to 172.25.228.10 port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to 172.25.228.10 port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36433 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36433 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B


Redirect to Host Alias web_server

table <web_server> {   172.25.228.10 }
web_server = "<web_server>"

# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $web_server port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36434 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36434 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B


Redirect to Network alias web_server_net

table <web_server_net> {   172.25.228.10/32 }
web_server_net = "<web_server_net>"

# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server_net port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $web_server_net port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36435 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36435 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B
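The moderator's test above settles the question by reading the ruleset pfSense actually generated rather than the GUI, and that is the check worth automating when "the setup looks correct" but reflection does not work: for every inbound rdr on WAN, is there a matching reflection rdr on the internal interfaces, once the $alias macros are expanded to the tables behind them? The script below is an added example, not code from the thread or from pfSense. It assumes the rule layout shown in the post above (table definitions, `name = "<name>"` macros, then `rdr` lines) as found in /tmp/rules.debug on a pfSense box, and that re1 is the WAN interface; the sample ruleset is constructed for the example, with a 443 rule that deliberately lacks its reflection redirect and a `<stale_alias>` table that is deliberately empty, which is the second failure mode an alias-based rule can have (it matches nothing, inbound or reflected). It also shows why the host alias and the /32 network alias behaved identically in the test: both expand to the same table.

```python
import ipaddress
import re
import sys
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Constructed sample in the layout of pfSense's generated ruleset (/tmp/rules.debug),
# mirroring the lines posted above. The 443 rule and the <stale_alias> table are
# constructed for this example: the 443 rule has no reflection redirect, and
# <stale_alias> is an alias whose table came out empty.
SAMPLE_RULES = """\
table <web_server> {   172.25.228.10 }
web_server = "<web_server>"
table <web_server_net> {   172.25.228.10/32 }
web_server_net = "<web_server_net>"
table <stale_alias> {  }
stale_alias = "<stale_alias>"

# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $web_server port 80 -> 172.25.233.100
# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server_net port 443 -> 172.25.233.100
# NAT Inbound Redirects
rdr on re1 proto tcp from any to $stale_alias port 8443 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $stale_alias port 8443 -> 172.25.233.100
"""

TABLE_RE = re.compile(r'^table\s+<(\w+)>\s*\{([^}]*)\}')
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"<(\w+)>"')
RDR_RE = re.compile(
    r'^rdr\s+on\s+(\{[^}]*\}|\S+)\s+proto\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)'
    r'\s+port\s+(\S+)\s+->\s+(\S+)'
)


class Rdr(NamedTuple):
    ifaces: FrozenSet[str]
    proto: str
    dest: frozenset  # destination expanded to the set of ip_network objects pf will match
    port: str
    target: str
    line: str


def _expand_dest(token: str, tables: Dict[str, frozenset], macros: Dict[str, str]) -> frozenset:
    """Expand '172.25.228.10' or '$alias' into the set of networks pf actually matches."""
    if token.startswith('$'):
        table = macros.get(token[1:])
        if table is None or table not in tables:
            raise ValueError(f"{token} is not defined as a table macro")
        return tables[table]
    return frozenset({ipaddress.ip_network(token, strict=False)})


def parse_rules(text: str) -> Tuple[Dict[str, frozenset], Dict[str, str], List[Rdr]]:
    """Collect table definitions, alias macros and rdr rules from rules.debug text."""
    tables: Dict[str, frozenset] = {}
    macros: Dict[str, str] = {}
    rdrs: List[Rdr] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = TABLE_RE.match(line)
        if m:
            members = [x.strip() for x in m.group(2).split(',') if x.strip()]
            tables[m.group(1)] = frozenset(ipaddress.ip_network(x, strict=False) for x in members)
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = RDR_RE.match(line)
        if m:
            ifaces = frozenset(m.group(1).strip('{} ').split())
            dest = _expand_dest(m.group(4), tables, macros)
            rdrs.append(Rdr(ifaces, m.group(2), dest, m.group(5), m.group(6), line))
    return tables, macros, rdrs


def check_reflection(text: str, wan: str) -> List[Tuple[str, str]]:
    """For each inbound rdr on the WAN interface, require a reflection rdr with the
    same proto/expanded destination/port/target on the internal interfaces.
    Returns (finding, rule line) pairs; an empty list means nothing is missing."""
    _, _, rdrs = parse_rules(text)
    inbound = [r for r in rdrs if r.ifaces == frozenset({wan})]
    internal = [r for r in rdrs if wan not in r.ifaces]
    findings = []
    for r in inbound:
        if not r.dest:
            # an alias that expanded to an empty table matches nothing, inbound or reflected
            findings.append(("empty-destination", r.line))
            continue
        key = (r.proto, r.dest, r.port, r.target)
        if not any((i.proto, i.dest, i.port, i.target) == key for i in internal):
            findings.append(("no-reflection", r.line))
    return findings


if __name__ == "__main__":
    # usage: python check_reflection.py [/tmp/rules.debug] [wan-interface]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for finding, rule in check_reflection(text, sys.argv[2] if len(sys.argv) > 2 else "re1"):
        print(f"{finding}: {rule}")
```

Run against the sample it reports the 443 rule as "no-reflection" and the 8443 rule as "empty-destination", and nothing for the port 80 pair. Destinations are compared as sets of networks, so a host alias holding 172.25.228.10 and a network alias holding 172.25.228.10/32 compare equal, as the identical state entries in the post above suggest; a destination that differs only because an alias resolved to a different or empty table shows up as a finding instead of silently matching nothing.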